authorLeo <thinkabit.ukim@gmail.com>2020-12-11 01:09:07 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-12-11 04:24:40 +0000
commitb18b853cf9809c1b68a9a1b375dd7d847d584fdc (patch)
tree88bc91dcfb816e8efd3a9342215a11f8cc3f004c
parent7b84983b350dc0e2815ecc165a46481e8eb1a5bf (diff)
main/jbig2dec: fix CVE-2020-12268
See: #11525
-rw-r--r--main/jbig2dec/APKBUILD13
-rw-r--r--main/jbig2dec/CVE-2020-12268.patch44
2 files changed, 54 insertions, 3 deletions
diff --git a/main/jbig2dec/APKBUILD b/main/jbig2dec/APKBUILD
index 4b3ae405c3..ccdcfb56de 100644
--- a/main/jbig2dec/APKBUILD
+++ b/main/jbig2dec/APKBUILD
@@ -3,7 +3,7 @@
pkgname=jbig2dec
pkgver=0.16
_gsver="gs927"
-pkgrel=0
+pkgrel=1
pkgdesc="JBIG2 image compression format decoder"
url="https://www.ghostscript.com/jbig2dec.html"
arch="all"
@@ -11,7 +11,13 @@ license="GPL-2.0-or-later"
makedepends="autoconf automake libtool"
checkdepends="python2"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/$_gsver/jbig2dec-$pkgver.tar.gz"
+source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/$_gsver/jbig2dec-$pkgver.tar.gz
+ CVE-2020-12268.patch
+ "
+
+# secfixes:
+# 0.16-r1:
+# - CVE-2020-12268
builddir="$srcdir/$pkgname-$pkgver"
@@ -45,4 +51,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="1c1a9b9fc46d40ef3bd6133fd95b02163456e4d9fb271f57c75f4dcc4ace726ec54b8d22f984e4804bbad7f1d018566e522c1924bc8ad2e807d48d57a8851949 jbig2dec-0.16.tar.gz"
+sha512sums="1c1a9b9fc46d40ef3bd6133fd95b02163456e4d9fb271f57c75f4dcc4ace726ec54b8d22f984e4804bbad7f1d018566e522c1924bc8ad2e807d48d57a8851949 jbig2dec-0.16.tar.gz
+e33c6a942af79dfb98c8160bccb0d7e6965d90b77f4e8e370787a9c0af0273001f02d5591b92d4285b901182ea335eb09854ce2fa995266837156b568747aa24 CVE-2020-12268.patch"
diff --git a/main/jbig2dec/CVE-2020-12268.patch b/main/jbig2dec/CVE-2020-12268.patch
new file mode 100644
index 0000000000..773515ae2d
--- /dev/null
+++ b/main/jbig2dec/CVE-2020-12268.patch
@@ -0,0 +1,44 @@
+From 0726320a4b55078e9d8deb590e477d598b3da66e Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Mon, 27 Jan 2020 10:12:24 -0800
+Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
+ jbig2_image_compose.
+
+With extreme values of x/y/w/h we can get overflow. Test for this
+and exit safely.
+
+Thanks for OSS-Fuzz for reporting.
+---
+ jbig2_image.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 22e21ef..100263d 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -33,6 +33,9 @@
+ #if !defined (INT32_MAX)
+ #define INT32_MAX 0x7fffffff
+ #endif
++#if !defined (UINT32_MAX)
++#define UINT32_MAX 0xffffffffu
++#endif
+
+ /* allocate a Jbig2Image structure and its associated bitmap */
+ Jbig2Image *
+@@ -258,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+ if (src == NULL)
+ return 0;
+
++ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
++ (UINT32_MAX - src->height < (y > 0 ? y : -y)))
++ {
++#ifdef JBIG2_DEBUG
++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
++#endif
++ return 0;
++ }
++
+ /* The optimized code for the OR operator below doesn't
+ handle the source image partially placed outside the
+ destination (above and/or to the left). The affected
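Review bot: The magnitude expressions `(x > 0 ? x : -x)` and `(y > 0 ? y : -y)` in the added guard negate a signed `int`, so for INT_MIN the check that is meant to reject extreme offsets itself performs a signed overflow, which is undefined behaviour. Computing the magnitude in unsigned arithmetic avoids that, e.g. `(x > 0 ? (uint32_t)x : 0u - (uint32_t)x)` and the same for `y`; this assumes `src->width` and `src->height` are 32-bit unsigned fields and that `y` is also an `int`, neither of which the hunk shows in full. The rejection path returns 0, the same value as the `src == NULL` early exit just above it, and only logs under `JBIG2_DEBUG`, so a caller presumably cannot tell a skipped composition from a completed one; a one-line comment stating that this is intentional would help the next reader. The body of jbig2_image_compose continues outside the hunk.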